Are sub-domain cookies sent in a parent domain HTTP request?
For instance, say I have the cookies:
Name  Value  Domain (not https)
ABC   1      .example.com
XYZ   0      foo.example.com
DEF   0      bar.example.com
Would XYZ@foo.example.com and DEF@bar.example.com be sent along in the HTTP-header cookies on a request to http://example.com/content, and/or http://QQQ.example.com/content?
The leading dot in the domain value .example.com means example.com and its subdomains. Without the leading dot, the cookie is only valid for this specific domain.
Note that when setting a cookie, domain values without a leading dot will be prepended with a dot. Only when the domain parameter is not set does the user agent assume the current domain for that cookie.
So in this case, if http://example.com/ is requested, only the cookie for .example.com will be sent. But in case of http://foo.example.com/, both cookies for .example.com and foo.example.com will be sent. And in case of http://bla.foo.example.com, only the cookie for .example.com will be sent.
The cookies of a subdomain only get sent if they were set with a domain with a leading dot on the level above it. So if www.example.com sets a cookie with domain ".example.com" then it gets sent, otherwise not.
The other way around is more confusing: the cookie set in the top-level domain should only get sent to subdomains if it has the leading dot, but if you are using Internet Explorer it will also send it if it got sent without the leading dot (ref).
No. It's the other way around: parent-domain cookies are sent in sub-domain HTTP requests.
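
The question's three cookies run through the RFC 6265 domain-matching rules, as an added example that is not part of the question or of any answer above. It assumes the two cookies listed without a leading dot are host-only (set with no Domain attribute) and omits the public-suffix check real browsers apply; `storeCookie` and `cookiesFor` are hypothetical helper names.

```javascript
// Added example: RFC 6265 cookie domain matching (sections 5.1.3, 5.3, 5.4).
// Cookie names and hosts come from the question; treating the dot-less
// entries as host-only cookies is an assumption of this sketch.

const isIp = (h) => /^[0-9.]+$/.test(h) || h.includes(':'); // crude IP-literal test

// RFC 6265 5.1.3: does request host `host` domain-match cookie domain `domain`?
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  // A suffix match counts only on a label boundary and never for IP addresses.
  return host.endsWith('.' + domain) && !isIp(host);
}

// Build a stored cookie the way a user agent would (RFC 6265 5.2.3 and 5.3).
// `domainAttr` is the Domain attribute of Set-Cookie, or null when absent.
function storeCookie(name, setByHost, domainAttr) {
  if (domainAttr === null) {
    return { name, domain: setByHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, '').toLowerCase(); // leading dot is ignored
  // A host may only set a cookie for itself or one of its parent domains.
  if (!domainMatch(setByHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

// RFC 6265 5.4: names of the cookies attached to a request for `host`.
function cookiesFor(host, jar) {
  const h = host.toLowerCase();
  return jar
    .filter((c) => (c.hostOnly ? h === c.domain : domainMatch(h, c.domain)))
    .map((c) => c.name)
    .sort();
}

// The three cookies from the question (constructed jar).
const jar = [
  storeCookie('ABC', 'www.example.com', '.example.com'),
  storeCookie('XYZ', 'foo.example.com', null),
  storeCookie('DEF', 'bar.example.com', null),
];

for (const host of ['example.com', 'QQQ.example.com', 'foo.example.com', 'bla.foo.example.com']) {
  console.log(host.padEnd(20), cookiesFor(host, jar).join(', '));
}
```

The rejected `storeCookie` case matters for session isolation: a host cannot plant a cookie scoped to a sibling subdomain, but any subdomain can set one for the shared parent domain.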